Re:[cas-user] CASsify application with role-based security constraints in web.xml?

Scott Battaglia-2

Re:[cas-user] CASsify application with role-based security constraints in web.xml?

I'm hijacking this thread to cas-dev.

Would it make sense for us to have the wrapper filter configured such that it responds to requests about role information by checking the principal's attributes?



On Thu, Jul 9, 2009 at 1:26 PM, Marvin Addison <[hidden email]> wrote:
> I understand that CAS only deals with the authentication part, but to
> CASsify an existing application fully I still have to deal with roles. And I
> am totally confused as to where to set things now.

That is correct, CAS has no direct support for authorization.  But it
can provide data, e.g. for authorization, to clients via the attribute
release mechanism,
http://www.ja-sig.org/wiki/display/CASUM/Attributes.  It is entirely
within the purview of the client application to consume the data and
make authorization decisions.  That's why Andrew suggested a framework
such as Spring security.  You don't have to use that, but you do have
to use _something_.  Just happens that Spring Security is a good
something.

M

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

-- 
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
Marvin Addison

Re: [cas-user] CASsify application with role-based security constraints in web.xml?

> Would it make sense for us to have the wrapper filter configured such that
> it responds to requests about role information by checking the principal's
> attributes?

I think such a feature would be excellent for facilitating
authorization use cases.  Since attributes can be for a number of
purposes including authorization, the filter should support allowing a
list of the attributes that should be treated as authorization roles.
A "role prefix" similar to Spring Security might be nice as well.

M

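
The mapping discussed in this thread, as an added example that is not part of the original messages or of the CAS client's code: only attributes on a configured allow-list are treated as roles, and a role prefix is applied. The class name, the attribute names `memberOf` and `displayName`, and the `ROLE_` prefix are assumptions made for illustration.

```java
import java.util.*;

/** Hypothetical helper (not CAS client code): maps released attributes to roles. */
public class AttributeRoleResolver {
    private final Set<String> roleAttributes; // allow-list of attribute names treated as roles
    private final String rolePrefix;          // e.g. "ROLE_"; empty when null

    public AttributeRoleResolver(Collection<String> roleAttributes, String rolePrefix) {
        this.roleAttributes = new HashSet<>(roleAttributes);
        this.rolePrefix = rolePrefix == null ? "" : rolePrefix;
    }

    /** Collects prefixed roles from allow-listed attributes only. */
    public Set<String> rolesFor(Map<String, Object> attributes) {
        Set<String> roles = new HashSet<>();
        if (attributes == null) return roles;
        for (String name : roleAttributes) {
            Object value = attributes.get(name);
            if (value instanceof Collection) {
                // Multi-valued attribute: each value becomes one role.
                for (Object v : (Collection<?>) value) addRole(roles, v);
            } else {
                addRole(roles, value);
            }
        }
        return roles;
    }

    private void addRole(Set<String> roles, Object value) {
        if (value == null) return;
        String s = value.toString().trim();
        if (!s.isEmpty()) roles.add(rolePrefix + s);
    }

    /** What a request wrapper's isUserInRole(role) could delegate to. */
    public boolean isUserInRole(Map<String, Object> attributes, String role) {
        return role != null && rolesFor(attributes).contains(role);
    }

    public static void main(String[] args) {
        // Constructed sample attributes, standing in for what a CAS server releases.
        Map<String, Object> attrs = new HashMap<>();
        attrs.put("memberOf", Arrays.asList("admin", "staff"));
        attrs.put("displayName", "admin"); // not allow-listed, so it grants no role
        AttributeRoleResolver byGroup = new AttributeRoleResolver(Arrays.asList("memberOf"), "ROLE_");
        AttributeRoleResolver byName = new AttributeRoleResolver(Arrays.asList("nickname"), "ROLE_");
        System.out.println(byGroup.isUserInRole(attrs, "ROLE_admin"));
        System.out.println(byGroup.isUserInRole(attrs, "ROLE_auditor"));
        System.out.println(byName.isUserInRole(attrs, "ROLE_admin"));
    }
}
```

The allow-list is what keeps an attribute released for display or profile purposes from being read as an authorization role.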